CVE-2025-24964
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running Vitest with the API server enabled. Attackers can exploit Cross-site WebSocket hijacking to inject malicious code into test files and trigger execution. Users running Vitest with the API option enabled (including Vitest UI users) are affected.
💻 Affected Systems
- Vitest
📦 What is this software?
Vitest by Vitest.dev
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution allowing attackers to run arbitrary commands, steal sensitive data, or install malware on the developer's machine.
If Mitigated
No impact if API server is disabled or proper network segmentation isolates the Vitest instance from untrusted networks.
🎯 Exploit Status
Exploitation requires the victim to visit a malicious website while Vitest API server is running. No authentication needed to access WebSocket APIs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1, 2.1.9, or 3.0.5 depending on major version
Vendor Advisory: https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq
Restart Required: Yes
Instructions:
1. Identify your Vitest major version (1.x, 2.x, or 3.x).
2. Update to the patched version: npm update vitest@^1.6.1, npm update vitest@^2.1.9, or npm update vitest@^3.0.5.
3. Restart any running Vitest processes.
🔧 Temporary Workarounds
Disable API Server
Disable the Vitest API server to prevent WebSocket exposure
Set api: false in vitest.config.js or remove --api flag from startup
Network Isolation
Restrict network access to the Vitest API server
Use firewall rules to block external access to Vitest WebSocket port (default varies)
🧯 If You Can't Patch
- Disable the Vitest API server completely in configuration
- Ensure Vitest only runs in isolated network segments without internet access
🔍 How to Verify
Check if Vulnerable:
Check if Vitest version is below 1.6.1, 2.1.9, or 3.0.5 AND api option is enabled in configuration
Check Version:
npx vitest --version or check package.json
Verify Fix Applied:
Verify Vitest version is 1.6.1+, 2.1.9+, or 3.0.5+ and test that WebSocket connections now require proper origin validation
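The version-and-config check described above, written out as an added example (this is not Vitest project code). It classifies a version string against the fixed releases named in this advisory and reports exposure only when the version is unpatched and the api option is on; the shape of the config object (api under the test block, off when false or absent) is an assumption taken from the vitest.dev config reference, and the function names are my own.

```javascript
// Added example, not code from the Vitest project: classify an installed
// Vitest version against the patched releases named in this advisory
// (1.6.1, 2.1.9, 3.0.5) and check whether the `api` option is enabled.

// Fixed release per major line, from the advisory above.
const PATCHED_BY_MAJOR = { 1: [1, 6, 1], 2: [2, 1, 9], 3: [3, 0, 5] };

// Parse "1.6.0", "v2.1.8" or "3.0.5-beta.1" into { nums: [major, minor, patch], prerelease }.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> below the fixed release of its major line (vulnerable version)
// false -> at or above the fixed release
// null  -> major line not covered by the advisory (0.x, 4.x, ...): treat as unknown
function isVulnerableVersion(version) {
  const { nums, prerelease } = parseVersion(version);
  const fixed = PATCHED_BY_MAJOR[nums[0]];
  if (!fixed) return null;
  const cmp = compareTriples(nums, fixed);
  // A prerelease of the fixed version (3.0.5-beta.1) still precedes the fix.
  return cmp < 0 || (cmp === 0 && prerelease);
}

// The `api` option lives under `test` in vitest.config.js; it is off when
// false or absent and on when true, a port number, or an options object
// (assumption taken from https://vitest.dev/config/#api).
function isApiEnabled(config) {
  const testBlock = config && config.test ? config.test : config;
  const api = testBlock ? testBlock.api : undefined;
  return api !== undefined && api !== false;
}

// Combine both checks the way the "Check if Vulnerable" step describes:
// exposed only when the version is unpatched AND the API server is enabled.
function assessExposure(version, config) {
  const vulnerable = isVulnerableVersion(version);
  if (vulnerable === null) return "unknown-major";
  if (!vulnerable) return "patched";
  return isApiEnabled(config) ? "vulnerable" : "not-exposed";
}

// Stand-alone usage with constructed inputs.
console.log(assessExposure("2.1.8", { test: { api: true } }));  // vulnerable
console.log(assessExposure("2.1.8", {}));                       // not-exposed
console.log(assessExposure("2.1.9", { test: { api: true } }));  // patched
```

Feed it the output of npx vitest --version and the exported object from your vitest.config.js; a result of "unknown-major" means the advisory names no fixed version for that line and the version should be checked against the vendor advisory directly.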
📡 Detection & Monitoring
Log Indicators:
- Unexpected WebSocket connections to Vitest API
- Unusual test file modifications
- Unexpected test execution events
Network Indicators:
- WebSocket traffic to Vitest port from unexpected origins
- saveTestFile API calls followed by rerun API calls
SIEM Query:
websocket.destination_port: [vitest_port] AND NOT websocket.origin_header: [expected_origins]
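The two network indicators and the SIEM query above, applied to log records as an added example (not Vitest code and not any SIEM vendor's query language). The record fields, the port value and the origin list are placeholders I chose for the example; the sample records are constructed. The point it makes is that the source address is useless here, because in a cross-site WebSocket hijack the victim's own browser opens the socket, so only the Origin header separates the sessions.

```javascript
// Added example, not Vitest or SIEM vendor code: apply the two network
// indicators above to WebSocket-upgrade log records. The record shape
// ({ ts, src, dst_port, origin, method }) and the port are assumptions;
// substitute the fields your proxy or host agent actually logs.

const VITEST_PORT = 51204;                                    // placeholder: your Vitest API port
const EXPECTED_ORIGINS = new Set(["http://localhost:51204"]); // placeholder: your Vitest UI origin

// Constructed sample records. Every source is 127.0.0.1: the browser on the
// developer's machine opens the socket, so the Origin header, not the source
// address, is what distinguishes the legitimate Vitest UI session from the rest.
const SAMPLE_LOG = [
  { ts: 100, src: "127.0.0.1", dst_port: 51204, origin: "http://localhost:51204", method: "rerun" },
  { ts: 101, src: "127.0.0.1", dst_port: 51204, origin: "http://evil.example",    method: "saveTestFile" },
  { ts: 102, src: "127.0.0.1", dst_port: 51204, origin: "http://evil.example",    method: "rerun" },
  { ts: 103, src: "127.0.0.1", dst_port: 51204, origin: undefined,                method: "rerun" },
  { ts: 104, src: "127.0.0.1", dst_port: 5173,  origin: "http://evil.example",    method: "saveTestFile" },
];

// Indicator 1 (the SIEM query above): traffic to the Vitest port whose Origin
// header is not one of the expected origins. A missing Origin is flagged too,
// since the query's negated match does not exclude it.
function unexpectedOriginConnections(records, port = VITEST_PORT, expected = EXPECTED_ORIGINS) {
  return records.filter(r => r.dst_port === port && !expected.has(r.origin));
}

// Indicator 2: a saveTestFile call followed by a rerun call from the same
// source and origin within `windowSec` seconds, on the Vitest port only.
function saveThenRerunSequences(records, port = VITEST_PORT, windowSec = 30) {
  const lastSave = new Map(); // key "src|origin" -> ts of the most recent saveTestFile
  const hits = [];
  const onPort = records.filter(r => r.dst_port === port).sort((a, b) => a.ts - b.ts);
  for (const r of onPort) {
    const key = `${r.src}|${r.origin}`;
    if (r.method === "saveTestFile") {
      lastSave.set(key, r.ts);
    } else if (r.method === "rerun" && lastSave.has(key)) {
      const saveTs = lastSave.get(key);
      if (r.ts - saveTs <= windowSec) {
        hits.push({ src: r.src, origin: r.origin, saveTs, rerunTs: r.ts });
      }
      lastSave.delete(key);
    }
  }
  return hits;
}

// Stand-alone usage on the constructed records.
console.log(unexpectedOriginConnections(SAMPLE_LOG).map(r => r.ts)); // [101, 102, 103]
console.log(saveThenRerunSequences(SAMPLE_LOG));                      // one hit from http://evil.example
```

The first function is the literal translation of the SIEM query; the second adds the behavioural sequence from the Network Indicators list, which still fires if an attacker-controlled page happens to spoof nothing and simply sends no Origin at all. Record 104 is deliberately on a different port and is ignored by both checks.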
🔗 References
- https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
- https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq
- https://vitest.dev/config/#api